[Snort-users] pass rule problem

alexh at ...1207... alexh at ...1207...
Thu Jan 25 09:09:41 EST 2001


Hi,

I've just upgraded to 1.7, which is nice[1], but I'm having a problem getting
pass rules to work.

With 1.6, I would use the rules

    pass tcp any  80 -> $HOME_NET any
    pass tcp any any -> $HOME_NET 80

    # [snip other pass rules]

    log tcp any any -> $HOME_NET :1023

to exclude web traffic from the logs. This worked fine.

However, using exactly the same rules with snort1.7, web traffic *is* being
logged.

After much commenting out of rules, I am sure that these are the culprits.
I tried altering the pass rules to

    pass tcp any 80 <> any any

but it made no difference. Am I just being my usual stupid self, or is there
a less humiliating explanation, I wonder?

[1] -- I may be understating here.
-- 
Alex Hooper
Senior Programmer
Clockwork Web.
+44 20 7471 0770
http://www.clockworkweb.com




More information about the Snort-users mailing list